3 Risk Assessment Myths, Busted

Say the phrase “risk assessment” to any IT professional and watch the cynical eye rolling commence. It’s not that we don’t think risk assessments are important, but they’re yet another thing to add to the IT task list.

There are a lot of assumptions about risk assessments:

Some see little benefit from them because they confirm what everyone already seems to know (patching is an issue, vendor remote access is a black hole of access control — let’s not even start).

Sometimes they are perceived as a measure of how well people do their work. Interviews can result in less-than-frank answers.

Risk assessments can only be completed annually.

These assumptions are all false, however, and I’m here to tell you why.

The Value of Daily Risk Assessments

Few people realize that risk assessments happen daily in IT.

Don’t believe me? An IT analyst who looks through antivirus logs performs a mini risk assessment when they focus on a possible key logger rather than the Trojan Generic. They know the Trojan is normally a false-positive and the new signature on the key logger may be a bigger risk, so they prioritize the latter; this is a risk assessment.

A common misconception is that risk assessments are also evaluating the quality of the work by IT staff since the results of an assessment may identify gaps in documentation, workflows or tool implementation. While the result may identify gaps in IT controls, the gaps are not a critique of a job performance, but reflect the maturity of the organization overall or constitute a reflection of strained resources — human and financial. It is therefore important that the interviews that are the basis of a risk assessment are performed with honesty on both sides.

Company-Wide Risk Assessments

At a company level, third party vendors such as Agio often perform formal risk assessments annually. This mostly happens because (again) of resources.

Based on which gaps Agio identifies and the risk ranking presented in the corrective action plan, the company leadership will have to prioritize. In my experience, the talk quickly turns to low-hanging fruit like filling documentation gaps.

Other risks — such as implementing patching or finding a security information and event management (SIEM) software — take money and need to be budgeted for long-term. You may also need to find trained staff to handle these tools and select a vendor whom you trust to outsource your network security to.

Solutions to Risk There are four basic solutions to risk. It can be:

Accepted

Transferred

Mitigated

Avoided

In the IT world, avoiding is pretty much impossible. There is no cure for the constant attacks. That leaves companies with three true choices, and many choose to transfer risk using insurance.

But some risks need to be accepted or mitigated until they’ve reached a lower, more acceptable risk level. For this reason, a company should include a SIEM purchase in the roadmap so eventually it can be implemented. Until then, internal staff can do more log review to limit the impact of lacking a SIEM.

I’m an IT professional — I know daily log review can seem laughable to understaffed IT departments with to-do lists longer than my arm. (Major changes take time and money.) My point is, a years-long SIEM gap does not mean risk assessments are useless.

My Best Risk Assessment Tip

Regardless of whether you’re a single IT analyst or a large hedge fund undergoing a firm-wide risk assessment, you should prioritize communication in the risk assessment process.

Having these communications will ensure that the risk assessment is seen as what it is by all involved – a means to improve the security of the company. This process requires honesty during the interviews, clear communication of the results and how the company plans to tackle the gaps and sometimes patience from all involved because significant changes to a company may require several risk assessments for the time to be right to invest in security. In the end, the goal of the assessor is to use the risk assessments as means to help the company reduce security gaps and should therefore be approached in a open, collaborative fashion.